Quantum Key Distribution with Classical Bob 
Secure key distribution among two remote parties is impossible when both are classical, unless some unproven
(and arguably unrealistic) computation-complexity assumptions are made, such as the difficulty of factorizing 
large numbers. On the other hand, a secure key distribution is possible when both parties are quantum. What 
is possible when only one party (Alice) is quantum, yet the other (Bob) has only classical capabilities? We 
present a protocol with this constraint, and prove its robustness against attacks: we prove that any attempt of an 
adversary to obtain information (and even a tiny amount of information) necessarily induces some errors that 
the legitimate users could notice. 



Introduction. Processing information using quantum two-level systems (qubits), instead of classical two-state systems (bits), has led to many striking results such as the teleportation of unknown quantum states and quantum algorithms that are exponentially faster than their known classical counterparts. Given a quantum computer, Shor's factoring algorithm would render many of the currently used encryption protocols completely insecure, but as a countermeasure, quantum information processing has also given quantum cryptography. Quantum key distribution was invented by Bennett and Brassard (BB84), to provide a new type of solution to one of the most important cryptographic problems: the transmission of secret messages. A key distributed via quantum cryptography techniques can be secure even against an eavesdropper with unlimited computing power, and the security is guaranteed forever.

The conventional setting is as follows: Alice and Bob have labs that are perfectly secure, they use qubits for their quantum communication, and they have access to a classical communication channel which can be heard, but cannot be jammed (i.e. cannot be tampered with) by the eavesdropper. The last assumption can easily be justified if Alice and Bob can broadcast messages, or if they already share some small number of secret bits in advance, to authenticate the classical channel.

In the well-known BB84 protocol as well as in all other suggested protocols, both Alice and Bob perform quantum operations on their qubits (or on their quantum systems). Here we present, for the first time, a protocol in which one party (Bob) is classical. For our purposes, any two orthogonal states of the quantum two-level system can be chosen to be the computational basis $|0\rangle$ and $|1\rangle$. For reasons that will soon become clear, we shall now call the computational basis "classical" and we shall use the classical notations {0,1} to describe the two quantum states $\{|0\rangle, |1\rangle\}$ defining this basis. In the protocol we present, a quantum channel travels from Alice's lab to the outside world and back to her lab. Bob can access a segment of the channel, and whenever a qubit passes through that segment Bob can either let it go undisturbed or (1) measure the qubit in the classical {0, 1} basis, and (2) prepare a (fresh) qubit in the classical basis, and send it. If all parties were limited to performing only operations (1) and (2), or doing nothing, they would always be working with qubits in the classical basis, and could never obtain any quantum superposition of the computational-basis states; the qubits can then be considered "classical bits"; the resulting protocol would then be equivalent to a fully classical protocol, and therefore, the operations themselves shall here be considered classical. We thus term this protocol "QKD protocol with classical Bob". One might use the name Semi-Quantum Key Distribution (SQKD), since only one party performs operations beyond the above.

The question of how "quantum" a protocol should be in order to achieve a significant advantage over all classical protocols is of great interest. For example, […] discuss whether entanglement is necessary for quantum computation, […] shows nonlocality without entanglement, and […] discuss how much of the information carried by various quantum states is actually classical. We extend this discussion into another domain: quantum cryptography. Such partially-quantum or semi-quantum protocols of various types might even have advantages over fully quantum protocols, if they are easier to implement in practice. For instance, NMR quantum computing is among the most successful implementations of quantum computing devices while the performed NMR experiments were proven to use no entanglement […]. Whether SQKD could also have potential practical advantages or not is left for future research.

To define our protocol we follow the definition (see for instance […]) of the most standard QKD protocol, BB84. The BB84 protocol consists of two major parts: a first part that is aimed at creating a sifted key, and a second (fully classical) part aimed at extracting an error-free, secure, final key from the sifted key. In the first part of BB84, Alice randomly selects a binary value and randomly selects in which basis to send it to Bob, either the computational ("Z") basis $\{|0\rangle, |1\rangle\}$, or the Hadamard ("X") basis $\{|+\rangle, |-\rangle\}$. Bob measures each qubit in either basis at random. An equivalent description is obtained if Alice and Bob use only the classical operations (1) and (2) above and the Hadamard […] quantum gate $H$. After all qubits have been sent and measured, Alice and Bob publish which bases they used. For approximately half of the qubits Alice and Bob used mismatching bases and these qubits are discarded. The values of the rest of the bits make the sifted key. The sifted key is identical in Alice's and Bob's hands if the protocol is error-free and if there is no eavesdropper (known as Eve) trying to learn the shared bits or some function of them. In the second part Alice and Bob use some of the bits of the sifted key (the TEST bits) to test the error-rate, and if it is below some pre-agreed threshold, they select an INFO string from the rest of the sifted key. Finally, an error correcting code (ECC) is used to correct the errors on the INFO string (the INFO bits), and privacy amplification (PA) is used to derive a shorter but unconditionally secure final key from these INFO bits. At that point we would like to mention a key feature relevant to our protocol: it is sufficient to use qubits in just one basis, Z, for generating the INFO string, while the other basis is used only for finding the actions of an adversary […].

A conventional measure of security is the information Eve can obtain on the final key, and a security proof usually calculates (or puts bounds on) this information. The strongest (most general) attacks allowed by quantum mechanics are called joint attacks. These attacks are aimed to learn something about the final (secret) key directly, by using a probe through which all qubits pass, and by measuring the probe after all classical information becomes public. Security against all joint attacks is considered as "unconditional security". The security of BB84 (with perfect qubits sent from Alice to Bob) against all joint attacks was first proven in […] via various techniques.

Robustness. An important step in studying security is a proof of robustness; see for instance […] for the robustness proof of their entanglement-based protocol, and […] for suggesting a protocol secure against the photon-number-splitting (PNS) attack, and for proving its robustness. Robustness of a protocol means that any adversarial attempt to learn some information on the key necessarily induces some disturbance. It is a special case, in zero noise, of the more general "information versus disturbance" measure which provides an explicit bound on the information available to Eve as a function of the induced error. Robustness also generalizes the no-cloning theorem: while the no-cloning theorem states that a state cannot be cloned, robustness means that any attempt to make an imprint of a state (even an extremely weak imprint) necessarily disturbs the quantum state.

Definitions: A protocol is said to be completely robust if 
nonzero information acquired by Eve on the INFO string 
(before Alice and Bob perform the ECC step) implies 
nonzero probability that the legitimate participants find 
errors on the bits tested by the protocol. A protocol is 
said to be completely nonrobust if Eve can acquire the 
INFO string without inducing any error on the bits tested 
by the protocol. A protocol is said to be partly robust if 
Eve can acquire some limited information on the INFO 
string without inducing any error on the bits tested by 
the protocol. 

Partly-robust protocols could still be secure, yet completely nonrobust protocols are automatically proven insecure (cf. Fig. 1). As one example, BB84 is fully robust when qubits are used by Alice and Bob but it is only partly robust if photon pulses are used and sometimes two-photon pulses are sent.

FIG. 1: (a) Eve's maximum (over all attacks) information on the INFO string vs. the allowed disturbance on the bits tested by Alice and Bob, in a completely robust (solid line), partly robust (dashed), and completely nonrobust (densely dotted) protocol. (b) Robustness should not be confused with security; Eve's maximum information on the final key vs. allowed disturbance in a secure protocol; such a protocol could be completely or partly robust.

Here we prove that our protocol for "quantum key distribution with classical Bob" is completely robust. Another protocol and a proof of its robustness are omitted for the sake of brevity, and will be provided in a future work.

A mock protocol and its complete nonrobustness. Consider the following mock protocol: Alice generates a random qubit in the Z-basis. She chooses randomly whether to do nothing, or apply the Hadamard gate to transform the qubit to the X-basis. Bob flips a coin to decide whether to measure Alice's qubit in the Z-basis (to "SIFT" it) or to reflect it back ("CTRL"), without causing any modification to the information carrier. In case Alice chose Z and Bob decided to SIFT, i.e. to measure in the Z basis, they share a random bit that we call SIFT bit (that may, or may not, be confidential). In case Bob chose CTRL, Alice can check if the qubit returned unchanged, by measuring it in the basis she sent it. In case Bob chose to SIFT and Alice chose the X basis, they discard that bit. The above iteration is repeated for a predefined number of times. At the end of the quantum part of the protocol Alice and Bob share, with high probability, a considerable amount of SIFT bits (also known as the "sifted key"). In order to make sure that Eve cannot gain much information by measuring (and resending) all qubits in the Z basis, Alice can check whether they have a low-enough level of discrepancy on the X-basis CTRL bits. In order to make sure that their sifted key is reliable, Alice and Bob must sacrifice a random subset of the SIFT bits, which we denote as TEST bits, and remain with a string of bits which we call INFO bits (INFO and TEST are common in QKD, e.g., in BB84 as previously described).

By comparing the value of the TEST bits, Alice and Bob can estimate the error rate on the INFO bits. If the error rate on the INFO bits is sufficiently small, they use an appropriate Error Correction Code (ECC) in order to correct the errors. If the error rate on the X-basis CTRL bits is sufficiently small, Alice and Bob can bound Eve's information, and use an appropriate Privacy Amplification (PA) in order to obtain any desired level of privacy.

At first glance, this protocol may look like a nice way to transfer a secret bit from quantum Alice to classical Bob: it is probably resistant to opaque (intercept-resend) attacks, and probably also against all collective attacks (where Eve uses a different probe in each access to each qubit). However, it is completely non-robust; Eve could learn all bits of the INFO string using a trivial attack that induces no error on the bits tested by Alice and Bob (the TEST and CTRL bits). She would not measure the incoming qubit, but rather perform a cNOT from it into a $|0^E\rangle$ ancilla […]. If Alice chose Z and Bob decides to SIFT (i.e. measures in the Z-basis), she measures her ancilla and obtains an exact copy of their common bit, thus inducing no error on TEST bits and learning the INFO string. If, however, Bob decides on CTRL, i.e. reflects the qubit, Eve would perform another cNOT from the returning qubit into her ancilla. This would reset her ancilla, erase the interaction she performed, and induce no error on CTRL bits, thus removing any chance of her being caught.

Note that in this mock protocol, Bob did not use classical operation (2) at all. In the following section we present a protocol in which Bob always sends a qubit to Alice (making use of operation (2) when needed). By always returning all qubits he forces Eve to delete any information she gained, or else some error is potentially induced.

A Semi-Quantum Key Distribution Protocol. The following protocol remedies the above weakness by not letting Eve know which is a SIFT qubit (that can be safely measured in the computational basis) and which is a CTRL qubit (that should be returned to Alice unchanged). The protocol is aimed at creating an $n$-bit INFO string to be used as the seed for an $m$-bit shared secret key.

Let the integer $n$ be the desired length of the INFO string, and let $\delta > 0$ be some fixed parameter.

1. Alice generates $N = 8n(1+\delta)$ random qubits in the Z basis. For each of the qubits, she randomly selects whether to apply the Hadamard gate ("X") or do nothing ("Z").

2. For each qubit arriving, Bob chooses randomly either to reflect it (CTRL) or to measure it in the Z basis and resend it in the same state he found (to SIFT it). Bob sends the first qubit to Alice after receiving the last qubit, in the same order he received them.

3. Alice measures each qubit in the basis she sent it.

4. Alice publishes which were her Z bits and Bob publishes which ones he chose to SIFT.

It is expected that for approximately $N/4$ bits, Alice used the Z basis for transmitting, and Bob chose to SIFT; these are the SIFT bits, which form the sifted key. For approximately $N/4$ bits, Alice used the Z basis and Bob chose CTRL; we refer to these bits as Z-CTRL. For approximately $N/4$ bits, Alice used the X basis and Bob chose CTRL; we refer to these bits as X-CTRL. The rest of the bits (those sent in the X basis but chosen as SIFT by Bob) are ignored.



5. Alice checks the error-rate on the CTRL bits and if either the X error-rate or the Z error-rate is higher than some predefined threshold $P_{\mathrm{CTRL}}$ the protocol aborts.

6. Alice chooses at random $n$ SIFT bits to be TEST bits. She publishes which are the chosen bits. Bob publishes the value of these TEST bits. Alice checks the error-rate on the TEST bits and if it is higher than some predefined threshold $P_{\mathrm{TEST}}$ the protocol aborts.

The protocol aborts if there are not enough bits to perform Step 6 or Step 7; this happens with exponentially small probability.

7. Alice and Bob select the first $n$ remaining SIFT bits to be used as INFO bits.

8. Alice publishes ECC & PA data; she and Bob use them to extract the $m$-bit final key from the $n$-bit INFO string.
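
The cNOT probe described for the mock protocol, and the effect of Bob always returning a qubit in steps 1-4 above, can be checked numerically. The following Python simulation is an added example, not part of the original paper: the function names, the `undo_on_return` policy flag and the two-qubit state-vector model (travelling qubit plus Eve's ancilla) are assumptions of this example, and it covers only this one probe and the quantum part of the protocol (no ECC or PA).

```python
import math
import random

R = 1 / math.sqrt(2)
# State: 4 real amplitudes, index = 2*q + a, where q is the travelling qubit
# (bit position 1) and a is Eve's ancilla (bit position 0).

def prepare(bit, basis):
    """Alice's qubit (|0>,|1> in Z; |+>,|-> in X) beside a fresh |0> ancilla."""
    q = [1.0 - bit, float(bit)] if basis == "Z" else [R, R * (1 - 2 * bit)]
    return [q[0], 0.0, q[1], 0.0]

def cnot(s):
    """cNOT: travelling qubit is the control, Eve's ancilla the target."""
    return [s[0], s[1], s[3], s[2]]

def hadamard(s):
    """Hadamard on the travelling qubit (used for Alice's X-basis check)."""
    return [R * (s[0] + s[2]), R * (s[1] + s[3]),
            R * (s[0] - s[2]), R * (s[1] - s[3])]

def measure(s, pos, rng):
    """Z-basis measurement of the qubit at bit position pos, with collapse."""
    p1 = sum(a * a for i, a in enumerate(s) if (i >> pos) & 1)
    out = 1 if rng.random() < p1 else 0
    norm = math.sqrt(p1 if out else 1.0 - p1)
    return out, [a / norm if ((i >> pos) & 1) == out else 0.0
                 for i, a in enumerate(s)]

def simulate(rounds, mock, undo_on_return, seed=1):
    """Run the quantum part against the cNOT probe; return observed rates.

    mock=True: Bob keeps the qubits he SIFTs (mock protocol).
    mock=False: Bob returns every qubit (the protocol of steps 1-4).
    undo_on_return: Eve applies a second cNOT to every qubit she sees return.
    """
    rng = random.Random(seed)
    n = {"sift": 0, "sift_err": 0, "eve_hit": 0, "ctrl": 0, "ctrl_err": 0}
    for _ in range(rounds):
        bit, basis = rng.randrange(2), rng.choice("ZX")
        sift = rng.random() < 0.5            # Bob's private coin
        s = cnot(prepare(bit, basis))        # Eve probes the outgoing qubit
        if sift:
            bob, s = measure(s, 1, rng)      # Bob measures in Z (and resends)
        returned = not (mock and sift)       # mock Bob sends nothing back
        if returned and undo_on_return:
            s = cnot(s)                      # Eve's second cNOT
        eve, s = measure(s, 0, rng)          # Eve reads her ancilla
        if sift and basis == "Z":            # SIFT bit: TEST compares Bob/Alice
            n["sift"] += 1
            n["sift_err"] += bob != bit
            n["eve_hit"] += eve == bit
        elif not sift:                       # CTRL: Alice checks in her basis
            alice, s = measure(hadamard(s) if basis == "X" else s, 1, rng)
            n["ctrl"] += 1
            n["ctrl_err"] += alice != bit
    return {"sift_err": n["sift_err"] / n["sift"],
            "ctrl_err": n["ctrl_err"] / n["ctrl"],
            "eve_hit": n["eve_hit"] / n["sift"]}

if __name__ == "__main__":
    for mock, undo in [(True, True), (False, True), (False, False)]:
        print(f"mock={mock} undo={undo}", simulate(4000, mock, undo))
```

With `mock=True` Eve matches every SIFT bit while TEST and CTRL stay error-free. When Bob returns every qubit she either erases her copy (`undo_on_return=True`, hit rate near 1/2) or keeps it and corrupts about half of the X-CTRL bits (`undo_on_return=False`).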

A Proof of Robustness. We show that Eve cannot obtain 
information on INFO bits without being detectable. 

Modeling the protocol. Each time the protocol is executed, Alice sends to Bob a state $|\phi\rangle$ which is a product of $N$ qubits, each of which is either $|+\rangle$, $|-\rangle$, $|0\rangle$ or $|1\rangle$; those qubits are indexed from 1 to $N$. Each of them is either measured by Bob in the Z basis and resent as it was measured, or simply reflected. Let $m = \{m_1, m_2, \ldots, m_r\}$ be a set of $r \le N$ integers $1 \le m_1 < m_2 < \cdots < m_r \le N$, describing the qubits chosen by Bob as SIFT. For $i \in \{0,1\}^N$, we denote $i_m = i_{m_1} i_{m_2} \cdots i_{m_r}$ the substring of $i$ of length $r$ selected by the positions in $m$; of course $|i_m\rangle = |i_{m_1} i_{m_2} \ldots i_{m_r}\rangle$.

In the protocol, it is assumed that Bob has no quantum register; he measures the qubits as they come in. The physics would however be exactly the same if Bob used a quantum register of $r$ qubits initialized in state $|0^B\rangle = |0^r\rangle$ ($r$ qubits equal to 0), applied the unitary transform defined by $U_m |i\rangle|0^B\rangle = |i\rangle|i_m\rangle$ for $i \in \{0,1\}^N$, sent back $|i\rangle$ to Alice and postponed his measurement to be performed on that quantum register $|i_m\rangle$; the qubits indexed by $m$ in $|i\rangle$ are thus automatically both measured and resent, and those not in $m$ simply reflected; the $k$th qubit sent by Alice is a SIFT bit if $k \in m$ and is either $|0\rangle$ or $|1\rangle$; it is a CTRL bit if $k \notin m$. This physically-equivalent modified protocol simplifies the analysis, and we shall thus model Bob's measurement and resending, or reflection, with $U_m$.

Eve's attack. Eve's most general attack is comprised of two unitaries: $U_E$ attacking qubits as they go from Alice to Bob and $U_F$ as they go back from Bob to Alice, where $U_E$ and $U_F$ share a common probe space with initial state $|0^E\rangle$. The shared probe allows Eve to make the attack on the returning qubits depend on knowledge acquired by $U_E$ (if Eve does not take advantage of that fact, then the "shared probe" can simply be the composite system comprised of two independent probes). Any attack where Eve would make $U_F$ depend on a measurement made after applying $U_E$ can be implemented by unitaries $U_E$ and $U_F$ with controlled gates so as to postpone measurements; since we are giving Eve all the power of quantum mechanics, the difficulty of building such a circuit is of no concern.

The final global state. Delaying all measurements allows considering the final global state of the Eve+Alice+Bob system before all measurements. To state $|\phi\rangle$ sent by Alice, Eve attaches the probe $|0^E\rangle$, applies $U_E$ to $|0^E\rangle|\phi\rangle$ and sends Bob his part of the system, $N$ qubits. Taking into account Bob's probe $|0^B\rangle$, the global state is now $[U_E \otimes I_M]\,|0^E\rangle|\phi\rangle|0^B\rangle$ where $I_M$ is the identity on Bob's probe space. Then, Bob applies $U_m$ to his part of the system, which corresponds to applying $I_E \otimes U_m$ to the previous global state where $I_E$ is the identity on Eve's probe space. Eve's attack on the returning qubits corresponds to applying the unitary $U_F \otimes I_M$ and the final global state is

$$[U_F \otimes I_M]\,[I_E \otimes U_m]\,[U_E \otimes I_M]\;|0^E\rangle|\phi\rangle|0^B\rangle. \qquad (1)$$

Proposition 1. If $U_E$ induces no error on TEST bits, then there are states $|E_i\rangle$ in Eve's probe space such that for all $i \in \{0,1\}^N$

$$U_E\,|0^E\rangle|i\rangle = |E_i\rangle|i\rangle. \qquad (2)$$

If, moreover, $(U_E, U_F)$ induces no error on CTRL bits, then there are states $|F_i\rangle$ in Eve's probe space such that for all $i \in \{0,1\}^N$

$$U_F\,|E_i\rangle|i\rangle = |F_i\rangle|i\rangle. \qquad (3)$$

Proof. When $U_E$ is applied onto the computational basis, $U_E|0^E\rangle|i\rangle = \sum_j |E_{i,j}\rangle|j\rangle$. If for some index $k$ there is some $j$ such that $i_k \ne j_k$ and $|E_{i,j}\rangle \ne 0$, then by choosing $m$ such that $k \in m$, Bob can detect this as an error on bit $k$. For Eve's attack to be undetectable on TEST bits, $U_E$ must thus be such that $U_E|0^E\rangle|i\rangle = |E_{i,i}\rangle|i\rangle$, namely, $|E_{i,j}\rangle = 0$ for any $j \ne i$, and $|E_i\rangle = |E_{i,i}\rangle$ satisfies Eq. (2). If Alice sent state $|i\rangle$ for $i \in \{0,1\}^N$, the global state is then $|E_i\rangle|i\rangle|i_m\rangle$ and $U_F|E_i\rangle|i\rangle = \sum_j |F_{i,j}\rangle|j\rangle$. In order for Eve's attack to be undetectable on Z-CTRL bits (whose index is not in $m$), $U_F$ must be such that $U_F|E_i\rangle|i\rangle = |F_{i,i}\rangle|i\rangle$, namely, $|F_{i,j}\rangle = 0$ for any $j \ne i$ and $|F_i\rangle = |F_{i,i}\rangle$ then satisfies Eq. (3). □

Corollary 1. If the attack $(U_E, U_F)$ induces no error on TEST and CTRL bits, then (for all $i \in \{0,1\}^N$ and all $m$) the final global state (1) if $|\phi\rangle = |i\rangle$ is



(4) 



We now show that if Eve's attack is undetectable by Alice and Bob, then Eve's final state $|F_i\rangle$ is independent of the string $i \in \{0,1\}^N$. More precisely:

Proposition 2. If $(U_E, U_F)$ is an attack that induces no error on TEST and CTRL bits, and if $|F_i\rangle$ is given by Eq. (3), then for all $i, i' \in \{0,1\}^N$

$$|F_i\rangle = |F_{i'}\rangle. \qquad (5)$$

Proof. Eq. (5) means that any of the $N$ bits of $i \in \{0,1\}^N$ can be flipped at will without affecting Eve's final state $|F_i\rangle$. We thus need only prove that for any two bit strings $i, i' \in \{0,1\}^N$ that differ only on one bit, say bit $k$, the equality $|F_i\rangle = |F_{i'}\rangle$ holds. We assume w.l.g. that $i_k = 0$ and $i'_k = 1$. If Alice chooses qubit $k$ to be X-CTRL and chooses all the other qubits to be those of $i$ and $i'$, then this means that the state $|\phi\rangle$ she sends is $\frac{1}{\sqrt{2}}\left[|i\rangle + |i'\rangle\right]$. Assume now that Bob reflects bit $k$, i.e. that $k \notin m$. This implies that $i_m = i'_m$. By Eq. (4) and linearity, the final state is $\frac{1}{\sqrt{2}}\left[|F_i\rangle|i\rangle + |F_{i'}\rangle|i'\rangle\right]|i_m\rangle$. Since we are interested only in Alice's $k$th qubit, we trace-out all the other qubits in Alice and Bob's hands. The resulting state

$$\frac{1}{\sqrt{2}}\left[|F_i\rangle|0\rangle + |F_{i'}\rangle|1\rangle\right] \qquad (6)$$

must be such that the probability of Alice measuring $|-\rangle$ is 0. Replacing $|0\rangle$ and $|1\rangle$ by their value in terms of $|+\rangle$ and $|-\rangle$, state (6) rewrites as $\frac{1}{2}\left[|F_i\rangle + |F_{i'}\rangle\right]|+\rangle + \frac{1}{2}\left[|F_i\rangle - |F_{i'}\rangle\right]|-\rangle$ and the probability of measuring $|-\rangle$ is 0 iff $|F_i\rangle - |F_{i'}\rangle = 0$, i.e. $|F_i\rangle = |F_{i'}\rangle$. □

Theorem 1. The protocol is completely robust: for any attack $(U_E, U_F)$ inducing no error on TEST and CTRL bits, Eve's final state is independent of the states $|\phi\rangle$ sent by Alice, and Eve is thus left with no information on the INFO string.

Proof. By Proposition 2 there is a state $|F_{\mathrm{final}}\rangle$ in Eve's probe space s.t. for all $i \in \{0,1\}^N$, Eve's final state $|F_i\rangle = |F_{\mathrm{final}}\rangle$. If Alice sends any superposition $|\phi\rangle = \sum_i c_i|i\rangle$ and Bob chooses any set $m$ of bits to be measured (leaving at least one CTRL bit), using Eq. (4) with $|F_i\rangle = |F_{\mathrm{final}}\rangle$ for all $i$ and linearity gives $|F_{\mathrm{final}}\rangle \sum_i c_i|i\rangle|i_m\rangle$ as the final global state of the system; Eve's probe state $|F_{\mathrm{final}}\rangle$ is independent of $i_m$ and therefore of the SIFT and INFO bits. □

Conclusion. We presented a protocol for QKD with one party who performs only classical operations and proved its robustness. We believe that our work sheds light on how much "quantumness" is required in order to perform classically-impossible tasks in general, and secret key distribution in particular. This work was partially supported by the Israeli MOD. We thank Moshe Nazarathy for providing the motivation for this research.